Scams & Phishing News Phishing poses as big-brand job interview to steal Google accounts

Brownie2019

Level 23
Thread author
Verified
Well-known
Forum Veteran
Mar 9, 2019
1,048
5,601
2,168
Germany
A phishing campaign is impersonating more than 30 well-known brands, including Adobe, Netflix, Coca-Cola, and OpenAI, in fake job interviews to steal Google account credentials from marketing professionals.

The operation is abusing the legitimate cloud-based PeopleForce human resources platform and a domain associated with the Salesforce Marketing Cloud service before redirecting the recipient to a malicious landing page.

To further instill trust and increase the chances of success, the threat actor is using the names and pictures of real recruiters at impersonated companies.

Will Thomas, senior advisor at cybersecurity intelligence and threat hunting company Team Cymru, analyzed the campaign and discovered that the phishing email pretends to be from “a recruiter looking to hire people for marketing roles.”

The researcher uncovered that the threat actor is using at least 34 domains impersonating high-value companies in the following sectors:

Airlines and travel: American Airlines, Booking.com, Delta Air Lines, United Airlines
Food and beverage: Coca-Cola, PepsiCo, Red Bull
Apparel and luxury goods: Adidas, Louis Vuitton, Sephora, Levis
Staffing, consulting, and tech: Adobe, Aquent, ManpowerGroup, McKinsey & Company, OpenAI
Hospitality and marketing: Marriott, Omnicom Group
Entertainment and sports: FIFA, Netflix
Thomas found that the campaign relies on nested redirects, a technique that routes visitors through multiple legitimate services before reaching the malicious landing page.
Read more:
 
Read more:
This campaign highlights a growing trend where attackers abuse legitimate SaaS platforms to bypass email security filters and add a false sense of trust for the recipient.

Why This Campaign Is Effective

  • Using a legitimate platform like PeopleForce means the initial email may pass SPF/DKIM/DMARC checks and avoid reputation-based blocklists, since the sending infrastructure itself is not malicious.
  • Nested redirects through multiple trusted services make automated URL scanning and sandboxing less reliable, since each hop may look benign in isolation.
  • Impersonating real recruiters with real names and photos adds a strong social engineering layer, since victims tend to verify at the "who is this from" level and stop there rather than checking the destination domain.
  • Targeting marketing professionals specifically is notable, since this group often manages high-value accounts, advertising budgets, and brand social media, making Google account takeover particularly damaging.

Practical Recommendations

  • Always verify recruiter outreach through a second channel, such as the official company careers page or LinkedIn, rather than trusting contact details in the email itself.
  • Hover over links before clicking, and pay attention to the final domain after any redirect chain, not just the first link.
  • Enable two factor authentication on Google accounts, ideally using a hardware security key or authenticator app rather than SMS, since credential phishing pages often cannot bypass FIDO2 based authentication.
  • Be cautious of any "interview" flow that asks you to log in with Google credentials on a page that is not accounts.google.com.

If You Suspect You Entered Credentials on a Fake Page

  • Change the Google account password immediately from a trusted device.
  • Review account activity and connected apps under Google Account security settings.
  • Revoke any unfamiliar sessions or OAuth grants.
  • Consider running a reputable antivirus or anti malware scan in case the redirect chain also attempted to deliver a payload.

Community members who receive similar phishing attempts are encouraged to share sanitized headers or landing page URLs so they can be added to blocklists and cross referenced with the domains Will Thomas identified.

Sources
 
😮That’s amazingly good. The “giveaways” are the domain info—email domain, landing page domain, if you bother to check and believe corporates don’t make mistakes—and the Google OAuth page, if you bother (or have references) to compare with the real one. Better check with an official second channel nowadays.
 

You may also like...